Forget the Firewall: Better Application Security Could Have Prevented the Equifax Breach

Security breaches at big companies and government agencies, including the recent disaster at Equifax, continue to dominate the headlines.

One important point many of these news stories miss, however, is that many of today's breaches, including the one at Equifax, arose from a breakdown in "application security". And given three big trends driving computing/IT today, we feel this corner of the cybersecurity market will only get more important.

So what is application security? Simply put, it means focusing on making individual software applications secure, instead of relying on things like firewalls or perimeter security to protect against outside cyber-attacks. It is sometimes referred to as "software security", a term that specifically means building security into critical applications as they are being developed, before they are deployed.

This is important today because, as we know, software development itself is going through a real sea change. Instead of writing and submitting code perhaps twice a week, many developers are checking in code five times a day, a direct consequence of development trends like agile and DevOps. The more code that gets written and shipped, the more opportunities there are for insecure code to make its way into applications, and for security loopholes to crop up.

The fact that so much enterprise software today is built with freely available, open-source building blocks (another mega-trend in IT today) also opens up the possibility of more vulnerabilities, and highlights the need to better protect key applications. While plenty of open-source software is high-grade and enterprise-ready (see our Battery Open Source Software (BOSS) Index, which tracks the increasing use of this type of technology), open source essentially puts the burden on the consuming organization to assess security and apply patches. The security patches are built by the community, but developers have to track and deploy them, since corporate security officers often don't feel responsible for software developed outside their organization. The Equifax debacle was driven by a publicly disclosed remote-code-execution vulnerability in the Apache Struts web-application framework, for which a fix had been available for months and which Equifax had neglected to apply.

A final big trend in IT today, also driving the demand for application security, is the rise of cloud computing and multi-cloud models inside organizations. When companies run their operations on cloud services like Amazon Web Services or Microsoft Azure (or a combination of both), the traditional model of firewalls and perimeter security is far less relevant, for two reasons. First, many cloud vendors already offer this type of network-level security as part of their platforms. Second, new distributed, microservices-based applications have an "attack surface" (the set of entry points potentially open to a breach) that is too large and too fluid to contain through a single perimeter.

All of this is, thankfully, freeing up CIOs to earmark more of their security budgets for application security, which simply makes more sense in today’s modern computing environment. In turn, many new security startups are being formed to offer these types of security solutions.

In our view, the ideal next-generation, application-security platform should do two things:

First, it should protect applications in production, or, in industry parlance, at "runtime". This means the software should detect and block attacks against the application itself (injection attacks and the like) while it is running live in production, whether it is a banking app, a game or whatever else you are building.

Protecting applications in production requires understanding the application's inherent logic and context. The old model of using WAFs (web application firewalls) for security in production doesn't do this: a WAF sits in front of the application and matches signatures against incoming HTTP traffic, without seeing how the application decodes and uses that input once it is inside. We'll explain with an analogy: using a WAF is like having a gate outside your house to protect against intruders. But no matter how tall a gate you build, once someone climbs over it, they're in. To really protect your home, you need active monitoring, with technology like cameras and motion detectors, to distinguish real bad guys from, say, your teenager coming home late or your neighbor stopping by. In the same way, a runtime security solution needs to sit close to the application in question and understand exactly how it works.

The second goal of a great, cutting-edge application-security tool is to get developers to write better and more secure code in the first place. The more robust the code, the less exposure to attackers later.

This is, of course, not easy to do. What helps is for developers to have access to an interactive system that gives them real-time feedback on the security of the code they are writing. In this age of agile software development and faster time to market, a non-intrusive, fast-yet-elegant and easy-to-use solution is key. Even more important, developers can be kept informed of the attacks that are actually happening in production, which builds a well-functioning feedback loop that keeps improving the security built into the product.
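To make the two points above concrete, here is an added, self-contained example (not code from the original post and not Contrast's product) that illustrates both the runtime-protection argument and the developer feedback loop. The scenario is constructed: a request handler accepts an opaque, base64-encoded `id` parameter, decodes it and splices it into SQL. A WAF-style signature rule inspects only the raw parameter, so an encoded payload passes; a hook at the database call sees the query the application actually executes and compares its token structure with the developer's template. The same hook doubles as developer feedback: in "develop" mode it records where in the code the unsafe query was built instead of blocking. All names (`waf_allows`, `sql_shape`, `guarded_query`, `handle_request`) are hypothetical.

```python
"""Added example: an in-process query guard versus a perimeter WAF check.

Constructed scenario, not code from Contrast or the original post.  The app
decodes an opaque base64 `id` before using it in SQL, so a perimeter rule
that only sees the raw parameter misses an encoded payload, while a hook at
the database call sees the final query and can compare its structure with
the developer's template.
"""
import base64
import inspect
import re
import sqlite3

# --- perimeter check: sees only the raw request parameter -------------------
WAF_SIGNATURES = re.compile(r"(?i)\bor\b\s+\d+\s*=\s*\d+|union\s+select|--|;")


def waf_allows(raw_param: str) -> bool:
    """Signature-style WAF rule applied to the parameter exactly as it arrives."""
    return WAF_SIGNATURES.search(raw_param) is None


# --- in-application check: sees the query the app actually executes ---------
SQL_TOKEN = re.compile(r"(\d+)|('(?:[^']|'')*')|([A-Za-z_]\w*)|(--[^\n]*)|(\S)")


def sql_shape(sql: str) -> list:
    """Reduce a query to its structure: keywords/identifiers, operators and a
    generic LIT for every literal, so only a change of *structure* matters."""
    shape = []
    for num, string, word, comment, sym in SQL_TOKEN.findall(sql):
        if num or string:
            shape.append("LIT")
        elif word:
            shape.append(word.upper())
        elif comment:
            shape.append("COMMENT")
        else:
            shape.append(sym)
    return shape


FINDINGS = []  # developer feedback: where in the code unsafe queries were built


def guarded_query(conn, template: str, value: str, mode: str = "protect"):
    """Run `template` with `value` spliced in, unless the value changes the
    query's structure.  mode="protect" blocks; mode="develop" executes but
    records the call site so the developer sees the finding."""
    expected = sql_shape(template.format("0"))   # shape with a benign value
    actual_sql = template.format(value)
    if sql_shape(actual_sql) != expected:
        caller = inspect.stack()[1]
        finding = (f"{caller.filename}:{caller.lineno}: "
                   f"input changed query structure: {actual_sql!r}")
        FINDINGS.append(finding)
        if mode == "protect":
            raise PermissionError(finding)
    return conn.execute(actual_sql).fetchall()


# --- the constructed application --------------------------------------------
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "111-11-1111"), (2, "bob", "222-22-2222")])
    return conn


def handle_request(conn, raw_id: str, mode: str = "protect"):
    """Hypothetical handler: WAF rule on the raw parameter, then the app's
    own decoding step, then SQL built by string formatting (the bug)."""
    if not waf_allows(raw_id):
        return "blocked by WAF"
    user_id = base64.b64decode(raw_id).decode()   # the WAF never sees this value
    try:
        return guarded_query(conn, "SELECT name FROM users WHERE id = {}", user_id, mode)
    except PermissionError:
        return "blocked in application"


def demo():
    conn = setup_db()
    benign = base64.b64encode(b"1").decode()
    attack = base64.b64encode(b"1 OR 1=1").decode()   # constructed payload
    results = {
        "raw_payload": handle_request(conn, "1 OR 1=1"),   # obvious form: WAF catches it
        "benign": handle_request(conn, benign),
        "waf_view_of_encoded": waf_allows(attack),         # True: signature sees nothing
        "encoded_attack": handle_request(conn, attack),    # caught only at the SQL call
    }
    FINDINGS.clear()
    results["develop_rows"] = handle_request(conn, attack, mode="develop")
    results["finding"] = FINDINGS[0]                       # file:line for the developer
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The structural comparison is deliberately crude (a real engine parses the query properly), but it shows the point: the perimeter rule and the in-process hook are looking at different data, and only the latter sees the query after the application has transformed the input. In "develop" mode the attack succeeds and returns both rows, and the recorded finding points at the exact line in `handle_request` that built the query, which is the feedback a developer needs to fix it (by switching to a parameterized query) before the code ships.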

All these trends are being addressed by one of our newest portfolio companies, as of today: Contrast Security.* Contrast’s platform is purpose-built for today’s busy software developer and DevOps-centric enterprise, and has the potential to fundamentally change the way organizations look at cybersecurity. We are excited to be working with CEO Alan Naumann and his team.

* No assumption should be made that the investment identified above was or will be profitable. It should also not be assumed that recommendations made in the future will be profitable or equal the performance of the company identified above. For a complete list of Battery Ventures’ investments, click here, and for additional information please see Section 1 of our Terms of Use.

Battery is a global, technology-focused investment firm pursuing the most promising companies and ideas. Founded in 1983, the firm makes venture-capital and private equity investments from offices in Boston, the San Francisco Bay Area, London and Israel. Follow the firm on Twitter @BatteryVentures and find a full list of Battery's portfolio companies here.